Cloud storage service providers often store data encrypted by an encryption service provider. In such a case, the cloud storage service provider never has access to user data, only to the encrypted data.
The encryption service provider has access to the data only when credential for the cloud storage service is provided by the user. As the user holds the credential, he is in control of his/her data.
Traditionally, a user credential such as password is used to authenticate and authorize access to a service. This user credential is typically the basis for deriving an encryption credential (e.g. encryption key) which is used for encrypting the user data. The derivation features are out of scope of the invention and will thus not be addressed in details here.
According to such derivation features, the encryption credential is classically derived from the user's login credential at the encryption server. Typically, the ‘secret’ input to this derivation function is a user password. Without this ‘secret’, the server cannot generate the encryption key.
In the case of loss, a second factor of authentication, or an out-of-band mechanism is sufficient to reset the first credential. Once the credential is reset, it is however necessary to be able to recover all the data previously stored encrypted.
The need for non-traditional credential recovery method arises in the context of such credentials being used also to derive keys for encrypting data. In such context, it is not possible to recover the keys without the original credential. It is thus not possible to recover the previously stored data.
Further alternative and advantageous solutions would, accordingly, be desirable in the art.